http://dx.doi.org/10.13089/JKIISC.2021.31.4.637

Quantitative Risk Assessment on a Decentralized Cryptocurrency Wallet with a Bayesian Network  

Yoo, Byeongcheol (ICSP(Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Kim, Seungjoo (ICSP(Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Abstract
Since the creation of the first Bitcoin blockchain in 2009, the number of cryptocurrency users has steadily increased. However, the number of hacking attacks targeting the assets stored in these users' cryptocurrency wallets is also increasing. We therefore evaluate the security of wallets currently on the market to determine whether they are safe. First, we conduct threat modeling to identify threats to cryptocurrency wallets and derive the security requirements. Second, based on the derived security requirements, we use attack trees and Bayesian network analysis to quantitatively measure the risk inherent in each wallet and compare them. According to the results, the average total risk in software wallets is 1.22 times greater than that in hardware wallets. Comparing hardware wallets, we found that the total risk inherent to the Trezor One wallet, which has a general-purpose MCU, is 1.11 times greater than that of the Ledger Nano S wallet, which has a secure element. However, the results also indicate that using a secure element in a cryptocurrency wallet is less effective at reducing risk than might be expected.
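As an added worked example (not code from the paper, and using a constructed attack tree with made-up probabilities rather than the paper's data), the following Python script shows the attack-tree-to-Bayesian-network step the abstract describes: leaf attack steps become independent root variables, AND/OR gates become deterministic conditional probability tables, P(goal) is obtained by exact enumeration over the leaf variables, risk is probability times impact, and the network additionally answers a diagnostic query that a plain attack tree cannot (which step was most likely, given that funds were stolen). The node names, the 0.30 versus 0.05 seed-extraction probabilities standing in for a general-purpose MCU versus a secure element, and the impact value are all assumptions made for the illustration.

```python
# Added illustration: a toy attack tree for a hardware wallet mapped to a
# Bayesian network and evaluated by exact enumeration. The tree shape and all
# probabilities below are constructed for this example, not the paper's data.
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List


@dataclass
class Node:
    """Attack-tree node. Leaves carry the attacker's success probability;
    AND/OR nodes become deterministic CPT nodes in the Bayesian network."""
    name: str
    gate: str = "LEAF"          # "LEAF", "AND" or "OR"
    prob: float = 0.0           # used only for leaves
    children: List["Node"] = field(default_factory=list)


def leaves(node: Node) -> List[Node]:
    if node.gate == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """Deterministic CPT of a gate: the node is reached iff all (AND) or
    any (OR) of its children are reached under the leaf assignment `state`."""
    if node.gate == "LEAF":
        return state[node.name]
    results = [evaluate(c, state) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def joint(root: Node, predicate: Callable[[Dict[str, bool]], bool]) -> float:
    """P(predicate) by summing over every assignment of the independent leaf
    variables. Exact, and cheap for the handful of leaves in a wallet tree."""
    ls = leaves(root)
    total = 0.0
    for assignment in product([False, True], repeat=len(ls)):
        state = {leaf.name: v for leaf, v in zip(ls, assignment)}
        if predicate(state):
            p = 1.0
            for leaf, v in zip(ls, assignment):
                p *= leaf.prob if v else 1.0 - leaf.prob
            total += p
    return total


def root_probability(root: Node) -> float:
    """Probability that the top-level attack goal is reached."""
    return joint(root, lambda s: evaluate(root, s))


def posterior_leaf_given_root(root: Node, leaf_name: str) -> float:
    """Diagnostic query: given that the goal was reached, how likely is it
    that this leaf step was part of the successful path? P(leaf | root)."""
    both = joint(root, lambda s: evaluate(root, s) and s[leaf_name])
    return both / root_probability(root)


def risk(root: Node, impact: float) -> float:
    """Quantitative risk as probability times impact (impact in asset units)."""
    return root_probability(root) * impact


def build_wallet_tree(seed_extraction_prob: float) -> Node:
    """Constructed tree for 'steal funds from a hardware wallet'. The only
    parameter is the assumed chance of pulling the seed off the chip, which is
    where a secure element and a general-purpose MCU would differ."""
    return Node("steal funds", "OR", children=[
        Node("phish seed phrase", prob=0.10),
        Node("malicious transaction via host", "AND", children=[
            Node("compromise host PC", prob=0.20),
            Node("user confirms tampered tx", prob=0.15),
        ]),
        Node("physical seed extraction", "AND", children=[
            Node("gain physical access", prob=0.05),
            Node("extract seed from chip", prob=seed_extraction_prob),
        ]),
    ])


def compare_mcu_vs_secure_element() -> float:
    """Ratio of total risk: assumed general-purpose MCU (0.30 extraction
    probability) over assumed secure element (0.05)."""
    impact = 1.0  # same asset at stake in both wallets, so it cancels
    r_mcu = risk(build_wallet_tree(0.30), impact)
    r_se = risk(build_wallet_tree(0.05), impact)
    return r_mcu / r_se


if __name__ == "__main__":
    tree = build_wallet_tree(0.30)
    print(f"P(steal funds)          = {root_probability(tree):.4f}")
    print(f"P(phished | funds stolen) = {posterior_leaf_given_root(tree, 'phish seed phrase'):.4f}")
    print(f"risk ratio MCU / SE       = {compare_mcu_vs_secure_element():.3f}")
```

Running it reproduces, on a toy scale, the effect the abstract reports: because chip-level seed extraction sits under an AND gate together with physical access, lowering that single leaf from 0.30 to 0.05 moves the total-risk ratio only to about 1.08 in this constructed tree, while the phishing and host-compromise branches, which a secure element does not defend, dominate the total. The exact enumeration is exponential in the number of leaves, so a real assessment with dozens of leaf steps would hand the same structure to a Bayesian-network library's inference engine instead.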
Keywords
Risk Assessment; Threat Modeling; Cryptocurrency Wallet; Bayesian Network; Attack Tree;